IT Asset Management
(Cloud)
When the Inventarisierungsstation identified for communication with the Kubernetes-Inventarisierungsagent von Flexera is configured for the HTTPS protocol, communications are secured
with certificates. The Inventarisierungsstation presents its certificate, and the
Kubernetes-Inventarisierungsagent von Flexera validates that certificate by validating the
Certificate Authority (CA) issuing the beacon certificate using its own local copy
of the CA's certificate. In the common case that the CA is one of the
industry-standard major authorities, such as DigiCert, the Kubernetes-Inventarisierungsagent von Flexera
already has the standard CA certificate bundle included in the Ubuntu operating
system that forms the agent's base. However, if your enterprise chooses to use
internal certificates, or to use certificates issued by a CA that is not included in
the standard bundle, the Kubernetes-Inventarisierungsagent von Flexera must be supplied with the CA
certificate(s) needed to verify the security certificate presented by the Inventarisierungsstation.
Internally, the Kubernetes-Inventarisierungsagent von Flexera relies on components of the standard
FlexNet-Inventarisierungsagent for all interactions with the Inventarisierungsstation.
This means that the CA certificates must be configured in the same way as they are
for third-party deployments of the FlexNet-Inventarisierungsagent on Linux. However,
because in this case the FlexNet-Inventarisierungsagent is installed within a container in
Kubernetes, the process by which the CA certificates file is supplied to the
FlexNet-Inventarisierungsagent is specific to the Kubernetes-Inventarisierungsagent von Flexera.
At the summary level, the process consists of:
- Making sure that your version of the Kubernetes-Inventarisierungsagent von Flexera supports
custom certificates
- Preparing the certificates in the format required by the FlexNet-Inventarisierungsagent
- Storing those certificates in a volume that is to be mounted in the
container(s) where the Kubernetes-Inventarisierungsagent von Flexera is running
- Configuring the Kubernetes-Inventarisierungsagent von Flexera to reference that storage volume so
that it discovers and uses the CA certificate(s).
To use custom CA certificates with the Kubernetes-Inventarisierungsagent von Flexera:
-
Stellen Sie sicher, dass eine ausreichend neue Version des Kubernetes-Inventarisierungsagenten von Flexera installiert ist/wird.
Es muss mindestens Version 1.3.0 installiert sein/werden. Wenn diese oder eine neuere Version bereits installiert ist, sind an dieser Stelle keine weiteren Aktionen erforderlich. Wenn eine frühere Version installiert ist, aktualisieren Sie diese, indem Sie den Standardprozess zum Herunterladen/Installieren befolgen, bis das Skript
install.sh erfolgreich ausgeführt wurde.
Tipp: Wenn Sie nicht wissen, welche Version des Kubernetes-Inventarisierungsagenten von Flexera im Cluster installiert ist: Diese wird in der Version der bereitgestellten Containerimages wiedergegeben. Beispielsweise enthält folgendes Containerimage:
flexera/krm:1.3.0
die Version
1.3.0 des Kubernetes-Inventarisierungsagenten von Flexera. Sie können das Image mithilfe der entsprechenden Controller-Bereitstellung untersuchen (alles in einer Befehlszeile, hier zur Darstellung mit Zeilenumbruch):
kubectl get deployments --namespace flexera
krm-controller -o jsonpath={.spec.template.spec.containers[0].image}
-
Prepare a single certificate file that combines all required client-side
certificates needed for validating the server-side certificates that are
presented by your selected Inventarisierungsstation.
This concatenated certificate file should be saved using the PEM format. Each PEM-format certificate should be base-64 encoded plain text surrounded by a
BEGIN CERTIFICATEheader and an
END CERTIFICATEfooter. That is:
-----BEGIN CERTIFICATE----- MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1 ...... wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl -----END CERTIFICATE-----
If you have
multiple root CA certificates, simple shell commands allow the
concatenation:
#!/bin/sh rm cert.pem for i in ca1.pem ca2.pem ca3.pem ; do openssl x509 -in $i -text >> cert.pem done
Tipp: Before, between, and after the certificates in the concatenated file (that is, everywhere except between BEGIN and END tags), free text is allowed that can be used, for example, for descriptions of the certificates.
Name your
resulting file
cert.pem. (This file name is mandatory.
Without this name, the FlexNet inventory agent will not detect and use the
certificates.)
-
Save the certificate file in a volume that will be mounted into the containers
where the Kubernetes-Inventarisierungsagent von Flexera is to operate.
The storage may be any type of volume supported by the Kubernetes
VolumeSource type, but common choices include a
configmap or a
secret (the examples
that follow assume that the certificates are stored in a
secret). The volume must be mounted at the path
/var/opt/managesoft/etc/ssl (this happens to be the
default value of the
SSLDirectory option, but in this
situation is mandatory). Also note that the volume must be in the
flexera namespace. If, for example, we name the
secret as
myorg-certificates, the
command line for creating the
secret containing the
certificate
becomes:
kubectl create secret generic myorg-certificates --namespace flexera --from-file=cert.pem
-
Configure the Kubernetes-Inventarisierungsagent von Flexera to reference this volume, using the
spec.monitor.tlsFiles attribute, by editing the YAML file
for the agent's configuration.
For example, using the same example values as above, the relevant extract from
the YAML file
is:
apiVersion: agents.flexera.com/v1
kind: KRM
spec:
monitor:
tlsFiles:
secret:
secretName: myorg-certificates
When the container is instantiated, the controller automatically ensures that the
storage volume is correctly mounted. When the Kubernetes-Inventarisierungsagent von Flexera uses
components (such as the ndpolicy component) of the FlexNet-Inventarisierungsagent to communicate with the Inventarisierungsstation, it also hands off
the CA certificate(s) so that these are used to authenticate the secure HTTPS
communications.
IT Asset Management (Cloud)
Current